Windows 7 svchost.exe "clone" using 100% CPU

JaieHRDec 11, 2013, 2:13 PM

I''ve been having a really strange problem with my Windows 7 Machine.

It would work normally for a few days and then out of nowhere it would Slow Down drastically, when I check the taskamager to look for any process taking up too much resources I would always find this particular svchost.exe process taking up arround 92% to 98% CPU.

The odd thing is that when I try to find which service it is related to, my task manager won't show me any related services, also on the Description column it will only show "svchost.exe"

However if I terminate this process it doesn't seem to affect anything on the system unlike the other svchost.exe listed there, which have thier description displayed correctly.

I've been googling for similar issues but I've had no luck, I've used different antivirus, anti-spyware and anti-malware scans to check for malicious software but I get no results other than tracking cookies and such (which I already deleted off course) but the problem presists.

If anyone has an idea of what could be calling this svchost.exe "Clone" please let me know.

Right hand click on the process in task manager and click "Open File Location".For the real service host processes, I think this will be C:\Windows\System32, but check on your system.For the fake one, do the same thing and see if this is in a different location.The fake one may not be a virus, but any software impersonating a Windows executable is probably up to no good.

Right hand click on the process in task manager and click "Open File Location".For the real service host processes, I think this will be C:\Windows\System32, but check on your system.For the fake one, do the same thing and see if this is in a different location.The fake one may not be a virus, but any software impersonating a Windows executable is probably up to no good.

Thanks for your replay, I've not had this issue to appear again for now but I'll follow your advice when it does.

Today I tried a file search for svchost.exe I found an svchost file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp which is about 6.73 MB while the one on C:\Windows\System32 is less than 30 KB.

Could this be the file that's taking 100% CPU? Is it safe to delete it?

Doing the same search on a different Windows 7 Machine does not show any svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.

UPDATE

The issue appeared again as soon as I finished my replay...

I followed your instructions and it did take me to C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.

Right hand click on the process in task manager and click "Open File Location".For the real service host processes, I think this will be C:\Windows\System32, but check on your system.For the fake one, do the same thing and see if this is in a different location.The fake one may not be a virus, but any software impersonating a Windows executable is probably up to no good.

Thanks for your replay, I've not had this issue to appear again for now but I'll follow your advice when it does.

Today I tried a file search for svchost.exe I found an svchost file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp which is about 6.73 MB while the one on C:\Windows\System32 is less than 30 KB.

Could this be the file that's taking 100% CPU? Is it safe to delete it?

Doing the same search on a different Windows 7 Machine does not show any svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.

UPDATE

The issue appeared again as soon as I finished my replay...

I followed your instructions and it did take me to C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.

Generally anything in a Temp directory can be deleted.To be on the safe side, just more the file somewhere else so that whatever is running the file can't find it.Give the machine a reboot, if everything still works correctly you didn't need the file.

I decided to delete the svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp but I would still get an svchost.exe file using 92-98% CPU, when right click -> Open File Location I found out there was a new svchost.exe in there about the same size as the last one I deleted (almost 7mb).

After that, I deleted it again and created a folder called "svchost.exe" inside C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp to prevent whatever is creating that file on that location to do so again.

Since then, I haven't had any more problems and my computer is running fine now.

However I'm still not sure what could be creating that svchost.exe file.

I decided to delete the svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp but I would still get an svchost.exe file using 92-98% CPU, when right click -> Open File Location I found out there was a new svchost.exe in there about the same size as the last one I deleted (almost 7mb).

After that, I deleted it again and created a folder called "svchost.exe" inside C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp to prevent whatever is creating that file on that location to do so again.

Since then, I haven't had any more problems and my computer is running fine now.

However I'm still not sure what could be creating that svchost.exe file.

You almost certainly have a trojan.Malware often protects itself by having a second process running to recreate the first.The high CPU usage means this could be someone using your computer for computation (e.g. bitcoin mining).Some supposedly legal browser toolbars are now doing this.

I decided to delete the svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp but I would still get an svchost.exe file using 92-98% CPU, when right click -> Open File Location I found out there was a new svchost.exe in there about the same size as the last one I deleted (almost 7mb).

After that, I deleted it again and created a folder called "svchost.exe" inside C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp to prevent whatever is creating that file on that location to do so again.

Since then, I haven't had any more problems and my computer is running fine now.

However I'm still not sure what could be creating that svchost.exe file.

You almost certainly have a trojan.Malware often protects itself by having a second process running to recreate the first.The high CPU usage means this could be someone using your computer for computation (e.g. bitcoin mining).Some supposedly legal browser toolbars are now doing this.